
Ethical Issues

Ethics refers to the principles of right and wrong that individuals use to make choices to guide their behaviors.
Code of ethics is a collection of principles that are intended to guide decision making by members of the organization.
Responsibility means that you accept the consequences of your decisions and actions.
Accountability means determination of who is responsible for actions that were taken.
Liability is a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.

Categories of ethical Issues


Privacy issues involve collecting, storing, and disseminating information about individuals
Accuracy issues involve the authenticity, fidelity and accuracy of information that is collected and processed
Property issues involve ownership and value of information
Accessibility issues revolve around who should have access to the information and whether they should have to pay for this access

Framework for ethical issues

Privacy Issues
What information about oneself should an individual be required to reveal to others?
What kind of surveillance can an employer use on its employees?
What type of personal information can people keep to themselves and not be forced to reveal to others?
What information about individuals should be kept in databases, and how secure is the information there?

Accuracy Issues
Who is responsible for the authenticity, fidelity, and accuracy of the information collected?
How can we ensure that the information will be processed properly and presented accurately to users?
How can we ensure that errors in databases, data transmissions, and data processing are accidental and not intentional?
Who is to be held accountable for errors in information, and how should the injured parties be compensated?

Property Issues
Who owns the information?
What are the just and fair prices for its exchange?
How should one handle software piracy?
Under what circumstances can one use proprietary databases?
Can corporate computers be used for private purposes?
How should experts who contribute their knowledge to create expert systems be compensated?
How should access to information channels be allocated?

Accessibility Issues
Who is allowed to access information?
How much should companies charge for permitting accessibility to information?
How can accessibility to computers be provided for employees with disabilities?
Who will be provided with the equipment needed for accessing information?
What information does a person or an organization have a right or privilege to obtain, under what conditions and with what safeguards?

Protecting Privacy
Privacy is the right to be left alone and to be free of unreasonable personal intrusions.
Information privacy is the right to determine when, and to what extent, information about yourself can be gathered and/or communicated to others.

Court decisions in several countries relative to the right to privacy

The right to privacy is not absolute. Privacy must be balanced against the needs of society.
The public's right to know supersedes the individual's right to privacy.

Advances in technology have made it easier today to collect and gather information anytime, anywhere. Examples: surveillance cameras in public places, banking transactions, credit card transactions, telephone calls, etc. These data can be integrated to produce a digital dossier, which is an electronic description of you. The process of forming a digital dossier is called profiling.

Electronic surveillance
Many companies monitor their employees' usage of the Internet. They use software to block connections to inappropriate websites in order to improve employee productivity. This practice is called URL filtering.

Personal Information Databases


Information is actually kept in many visible locations: credit reporting agencies, banks, financial institutions, schools and universities, retail establishments, government and non-government agencies, etc.

Concerns relative to personal information kept in the different databases

Where are the records?
Are the records accurate?
Can they be changed if inaccurate, and how long does it take to process the changes?
Under what circumstances do they release these data?
Where are they used?
To whom do they give or sell these data?
How secure are they against access by unauthorized people?

Privacy codes and policies


Privacy codes or privacy policies are an organization's guidelines with respect to protecting the privacy of customers, clients and employees.

The opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.

The opt-in model of informed consent prohibits a business from collecting any personal information unless the customer specifically authorizes it.

Sample policy guidelines

Data collection
Data should be collected on individuals only for the purpose of accomplishing a legitimate business objective.
Data should be adequate, relevant, and not excessive in relation to the business objective.
Individuals must give their consent before data pertaining to them can be gathered.

Data accuracy
Sensitive data gathered on individuals should be verified before they are entered into the databases.
Data should, where and when necessary, be kept current.
The file should be made available so the individual can ensure that the data are correct.
If there is disagreement about the accuracy of the data, the individual's version should be noted and included with any disclosure of the file.

Data confidentiality
Computer security procedures should be implemented to ensure against unauthorized disclosure of data. These procedures should include physical, technical, and administrative measures.
Third parties should not be given access to data without the individual's knowledge or permission, except as requested by law.
Disclosures of data, other than the most routine, should be noted and maintained for as long as the data are maintained.
Data should not be disclosed for reasons incompatible with the business objective for which they are collected.

Threats to Information security


Today's interconnected, interdependent, wirelessly networked business environment
Governmental legislation
Smaller, faster, cheaper computers and storage devices
Decreasing skills necessary to be a computer hacker
International organized crime taking over cybercrime
Downstream liability
Increased employee use of unmanaged devices
Lack of management support

A threat to an information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
Vulnerability is the possibility that the system will suffer harm by a threat.
Information systems controls are the procedures, devices or software aimed at preventing a compromise to the system.

Threats to Information system


Unintentional acts
No malicious intent: human error, deviations in quality of service by service providers, and environmental hazards

Natural disasters
Floods, earthquakes, hurricanes, etc.

Technical failures
Problems with software or hardware

Management failures
Lack of funding, lack of interest

Deliberate acts
Extortion, espionage or trespass, vandalism, theft, etc.

Human Mistakes
Tailgating
Shoulder surfing
Carelessness with laptops and portable devices
Opening questionable e-mails
Careless surfing
Poor password selection and use
Carelessness with one's office
Carelessness using unmanaged devices
Carelessness with discarded equipment

Types of Software attacks


Virus
Worm
Trojan horse
Backdoor
Logic bomb
Password attack
Denial-of-service attack
Distributed denial-of-service attack
Phishing attack
Zero-day attack

Protecting Information Resources


Risk management: identify, control, and minimize the impact of threats. It involves three processes: risk analysis, risk mitigation, and control evaluation.

Risk analysis
Process by which an organization assesses the value of each asset being protected and prioritizes the assets that could be compromised based on that value

Mitigation
Implement controls against threats
Develop a means of recovery should the threat become a reality
Strategies:
Risk acceptance
Risk limitation
Risk transference

Difficulties in protecting information resources


Hundreds of potential threats exist
Computing resources may be situated in many locations
Many individuals control information assets
Computer networks can be located outside the organization and are difficult to protect
Rapid technological changes
Many computer crimes are undetected
People tend to violate security procedures
Cost of preventing hazards is very
Attacks occur even before a cost-benefit analysis is completed

Control
Physical controls
Communications controls
